Network Analysis

cargex
Hi Guys,
I'm in charge of a LAN with around 100 users connected to the Internet over a fiber connection.
This is a call center, and the users connect to cloud-based applications like Five9, Salesforce, etc.

In particular, Five9 is an application that uses VoIP.
Every once in a while all the users get disconnected for no apparent reason. By that I mean I have ruled out the obvious: the Internet connection is up, and Five9 shows as up, at least as far as their systems can tell me.
These disconnections happen rarely, maybe once every 2 months, and they last a minute or so; then all the systems come back up again. It is just as if there were an Internet disconnection, but there was no Internet disconnection.

What I need to do
I need to run a network analysis on my LAN so that I have a picture of my traffic when everything is working fine (a baseline).
My objective is that when this kind of event happens again, I will be able to compare my baseline against the picture of the traffic when the event happened, and hopefully find the culprit.

My Question
I have never done anything like this before, and after a little searching I found this tool.

Have any of you used this tool before, so that you can give me feedback? Is it good, bad?
Can you give me links to sites where somebody has done anything like what I need to do here using this tool?

And finally:
Is this the correct path to find the solution to my issue?

I have opened cases with Five9 support, but honestly they are going nowhere.

Thanking you in advance.
Bill Bach, President and Btrieve Guru
This is what I would do: pick a test workstation to work with. Install the open source Wireshark network analyzer. Configure it to capture ALL network traffic on the workstation and let it run and capture all data in the background. (You will want to set up a circular buffer, say 100 files of 32 MB each, which will save you the last 3.2 GB of data.) When the failure occurs, show the user how to click STOP in Wireshark to stop capturing. You will now have a trace of what the workstation sees during the outage.

You may also want to do a similar trace from a workstation connected to the edge switch (i.e. where the Internet router is located), to capture all outbound network traffic. (This may require using a laptop and a smart switch with port mirroring/spanning capabilities.) On this system, you could capture all traffic to/from the given MAC or IP address (of the workstation). When the system fails, get to that Wireshark instance as quickly as you can and stop it there, too.

Once you have the data, you should be able to find the point of the failure, which will likely be in the last trace file, hopefully near the end. See if you can tell what happened there: do you see network retransmissions right at the point of failure? Then examine the data from the edge switch: do you see the same retransmissions?

Having the first trace will give you an idea of what is happening at the point of the failure. Having the second trace will tell you if the problem is inside your network or outside your network. In a very large network (i.e. many levels of switches, VLANs, etc.), you might also need to perform multiple captures to isolate different parts of the network.

Note that reading the trace data is not a beginner-type task; it requires an understanding of the various networking protocols. If you are not versed in how TCP works, and other such ways of the networking world, then you might find it easier to hire someone to help with your analysis.


cargex
Hi Bill Bach,
Instructing my users to stop Wireshark unfortunately is not an option, as I don't really know which users are going to be affected; only some of them are on a call at the time the event happens, and it happens once every two months or so. It is very rare.

But I like very much the idea of a trace from a workstation connected to the edge switch. Can you please elaborate on the details of that setup?

Bill Bach, President and Btrieve Guru
Essentially, you connect the analyzer where it can see the traffic. If your edge switch is a managed switch, then you should be able to set up port monitoring (sometimes called spanning or mirroring) from the port on the edge of the network to another port. This will send ALL packets going through the first port to the second. You'll then be able to monitor the traffic via Wireshark. If your edge switch is NOT a managed switch, then you can plug another managed switch in between the current switch and the edge, and capture traffic that way. (This is, of course, more disruptive to the environment, and may change the way things work.)

Once you have that set up, you just let Wireshark capture all traffic in a circular buffer and wait for the failure to occur. Now, in this case, because you'll have OTHER traffic going through the edge at the same time, you'll have to dig through a LOT more data and try to find the bent needle in the packet haystack. This is not something that will be easy, but if you know which IP address experienced the failure, then you should be able to at least find the point of the failure and see what was happening at that time.

Was the network very busy? Did you see retransmissions? Did all traffic just STOP from one side or the other? There will be clues (sometimes very subtle ones) about what is going on in the gobs of data.

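The setup Bill Bach describes in his two answers (an unattended ring-buffer capture on a mirror port, then digging the failure out of the files after the fact), written out with the Wireshark command-line tools. This is an added example, not code from the thread; it assumes dumpcap and tshark are installed on the analysis PC, and the interface name, host address and timestamps are placeholders.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes the Wireshark CLI tools
# (dumpcap, tshark) are installed on the analysis PC hanging off the mirror
# port. Interface names, IP addresses and timestamps below are placeholders.

# Ring-buffer capture as suggested above: 100 files of roughly 32 MB each
# (dumpcap's filesize unit is kB), oldest file overwritten first, so the last
# ~3.2 GB of traffic is always on disk. The optional capture filter narrows the
# capture to one host (e.g. "host 10.0.0.50"), which is what you want on the
# busy edge port. Set DRY_RUN=1 to print the command instead of running it
# (running it for real needs root or capture privileges).
start_ring_capture() {
    iface=$1; prefix=$2; filter=${3:-}
    set -- dumpcap -i "$iface" -b files:100 -b filesize:32768 -w "$prefix.pcapng"
    if [ -n "$filter" ]; then set -- "$@" -f "$filter"; fi
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Ring-buffer files are named <prefix>_<seq>_<YYYYMMDDHHMMSS>.pcapng, the
# timestamp being the file's start time. Given the outage window (from the
# users' complaints or the Five9 ticket), print the files that cover it: the
# last file started at or before the window start, plus any started inside it.
# Filenames are read on stdin so this can be tested without real captures.
files_for_window() {
    start=$1; end=$2
    sort | awk -v s="$start" -v e="$end" '
        { n = split($0, a, "_"); ts = a[n]; sub(/\.pcapng$/, "", ts)
          if (ts <= s) last = $0
          else if (ts <= e) inwin[++k] = $0 }
        END { if (last != "") print last
              for (i = 1; i <= k; i++) print inwin[i] }'
}

# The clues mentioned above, pulled out for one host: TCP retransmissions,
# resets and ICMP unreachables, each with a timestamp and both endpoints.
# Usage: outage_clues <host-ip> file...
outage_clues() {
    host=$1; shift
    for f in "$@"; do
        tshark -r "$f" \
          -Y "ip.addr == $host && (tcp.analysis.retransmission || tcp.flags.reset == 1 || icmp.type == 3)" \
          -T fields -e frame.time -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info
    done
}

# Packets and bytes per second to/from the host, to tell "traffic just STOPPED"
# (a gap of zeros) from "traffic degraded" (retransmissions with traffic still
# flowing). Usage: traffic_profile <host-ip> file
traffic_profile() {
    tshark -r "$2" -q -z "io,stat,1,ip.addr == $1"
}

# Typical sequence (not run here):
#   start_ring_capture eth0 /var/cap/edge 'host 10.0.0.50' &
#   ... outage reported at 12:07, over by 12:09 ...
#   files=$(ls /var/cap/edge_*.pcapng | files_for_window 20240105120700 20240105121100)
#   outage_clues 10.0.0.50 $files
#   traffic_profile 10.0.0.50 $(printf '%s\n' $files | head -n 1)
```

Two practical points. First, 3.2 GB at the edge of a 100-seat call center may cover only a short window, so either size the ring to the time it takes someone to notice the outage and stop the capture, or capture per host as above. Second, an edge capture records everyone's traffic, including logins to Five9 and Salesforce; keep the capture files on an access-restricted, encrypted volume and delete them once the analysis is done.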

cargex
Then Wireshark it is.
Thank you very much for all your help.
